(Updated) Mo' Money Mo' Problems - Making even more money online the black hat way

Mo’ Money
Mo’ Problems
Making A LOT more money on
the Web the black hat way
Jeremiah Grossman
Founder & Chief Technology Officer

Trey Ford
Director, Solutions Architecture

BlackHat USA 2009
07.30.2009

© 2009 WhiteHat, Inc.

http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/

WhiteHat Security
• 250+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
• 1000’s of assessments performed annually
• Recognized leader in website security
• Quoted thousands of times by the mainstream press

© 2009 WhiteHat, Inc. | Page 3

TechCrunch Layoff Tracker

Plan B
Hacker Stimulus
Package

Plan B Package
http://www.techcrunch.com/layoffs/

Hacker Stimulus

Get Rich or Die Trying, 2008...
Four figures: Solving CAPTCHAs
Five figures: Manipulating payment systems
High five figures: Hacking Banks
Six figures: Scamming eCommerce
High Six figures: Defraud Affiliate Networks
Seven figures: Gaming the stock market

http://www.youtube.com/watch?v=SIMF8bp5-qg

All still work just fine. :)
© 2009 WhiteHat, Inc. | Page

The target won’t know
How the breach was detected:
• 3rd party detection due to FRAUD (55%)
• 3rd party detection NOT due to fraud (15%)
• Employee Discovery (13%)
• Unusual System Performance (11%)


Don’t be that guy

Stephen Watt, TJX hack Gary McKinnon, described as
David Kernell, 20 year-
participant which the the 'UFO Hacker,' allegedly
old student University of
feds call “the largest broke into United States
Tennessee student,
identity theft in our military and NASA computers
allegedly hacked into
Nation’s history.” AKA to find evidence of
former VP candidate
(Operation Get Rich or government-suppressed
Sarah Palin’s Yahoo Mail.
Die Tryin) information.

?
= Albert "Segvec" Gonzalez Hacker 1

Victims Techniques
TJ Maxx SQL Injection
Barnes & Noble Sniffers
BJ’s Wholesale Wireless Security / War Driving
Boston Market Shared Passwords Hacker 2
DSW Shoe Warehouse Malware
Forever 21 Anti-Forensics
Office Max Backdoors
Sports Authority Social Engineering
Heartland Payment Systems
Hannaford Brothers
7-Eleven
Dave and Busters
http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/
http://government.zdnet.com/?p=5242
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/17/AR2009081701915.html?hpid=sec-tech

Attacker Targeting
Random Opportunistic
• Fully automated scripts
• Unauthenticated scans
• Targets chosen indiscriminately

Directed Opportunistic
• Commercial and Open Source Tools
• Authentication scans
• Multi-step processes (forms)

Fully Targeted
• Customize their own tools
• Focused on business logic
• Clever and proﬁt driven ($$$)

The Super Hacker?

Business Goals & Budget Justification
Risk Mitigation
"If we spend $X on Y, we’ll reduce of risk of loss of $A by B%."

Due Diligence
"We must spend $X on Y because it’s an industry best-practice."

Incident Response
"We must spend $X on Y so that Z never happens again."

Regulatory Compliance
"We must spend $X on Y because <insert regulation> says so."

Competitive Advantage
"We must spend $X on Y to make the customer happy."


Security Religions

Depth

Breadth


Holiday Grinch-bots
eBay’s "Holiday Doorbusters" promotion, administered by Strobe
Promotions, was giving away 1,000 items -- 2009 corvette,
plasma TVs, jet skis, diamond ring, etc -- to the first person to
find and buy specially-marked $1 items.

Some "contestants" used scripts, skipping to 'buy', without even
viewing the goods. Almost 100% of the prizes were 'won' this
way as evidenced by the visitor counters showing "0000."

Many were not happy and complaining in the forums.
Disappointed with eBays response, some took matters into their
their owns hands listing "other" items for $1.

"This is picture I took of my cat with my Cannon Powershot
Camera after she overheard that people where using scripting to
purchase HOLIDAY DOORBUSTERS items on eBay. Not
responsible for poor scripting techniques."

http://redtape.msnbc.com/2008/12/ebay-users-say.html


Recover someone else’s
password - it’s a feature!

?
=
© 2009 WhiteHat, Inc. | Page

“Appropriate” access to Email
Start with just an email address


Doing a little research


or ‘lots’ of research


... and you’ve got MAIL


“The most secure email
accounts on the planet”
To get into a StrongWebmail account, the account owner
must receive a verification call on their phone. This means
that even if your password is stolen, the thief can’t access
your email because they don’t have access to your telephone.

http://www.strongwebmail.com/


Break into my email: get $10,000.
Here is my username and password.
May 21, 2009

Break into my email: get $10,000. Here is my username and password.
Username: CEO@StrongWebmail.com
Password: Mustang85

StrongWebmail.com is offering $10,000 to the first
person that breaks into our CEO’s StrongWebmail
email account. And to make things easier, Strong
Webmail is giving the username and password away!

http://www.strongwebmail.com/news/secure-web-mail/break-into-my-
email-get-10000-here-is-my-username-and-password/


Lance James

TwitPwn

Aviv Raff
http://twitpwn.com/

Mike Bailey
http://www.asscert.com/


The easiest route
1) Registered an account and identified multiple XSS issues in
a matter of minutes (Rackspace WebMail software).
2) Sent ceo@strongwebmail.com an email laced with specially
crafted JavaScript malware
3) Emailed support@strongwebmail.com stating they won the
contest and sent details to the CEO encouraging them to
check the account.
4) Within minutes the email were opened, which initiated
several Ajax requests to the server, pilfering the inbox, and
sending the data to a remote logging script.

http://skeptikal.org/2009/06/strongwebmail-contest-won.html
http://www.ﬁreblog.com/exclusive-interview-with-strongwebmails-10000-hacker/


StrongWebmail said it was "not deterred" by the
contest's quick conclusion and would be launching a
new competition once this bug was ﬁxed. "We won't rest
until we have created the most secure e-mail in the
world," the company said.


Twitter Hacker
Hacker Croll initiates a password recovery for a Twitter
employee’s Gmail account. Reset email to secondary
account: ******@h******.com.
Guesses secondary Hotmail account, deactivated, but is able
to re-register the account. Resends the reset email and bingo.

Pilfers inbox for passwords to other Web services, sets the
Gmail password to the original so employee would not notice.

Used the same password to compromise employee's email
on Google Apps, steal hundreds of internal documents, and Owned!
access Twitter's domains at GoDaddy. Sent to TechCrunch.

Personal AT&T, MobileMe, Amazon, iTunes and other accounts
accessed using username/passwords and password recovery
systems.
“I’m sorry” - Hacker Croll
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/


Domain Name Hacking
Daniel Goncalves allegedly hacked in the owner of P2P.com
AOL email account, then used it to access their
Godaddy.com account to transfered ownership to himself.

In 2006, Goncalves put the domain up for sale on eBay.com,
where it sold for $111,000 to Mark Madsen, an NBA player.

In May of 2009 the NJ District Attorney indicted Goncalves
who was arrested and his computers seized. The problem is
domain names aren’t considered property.

According to the P2P .com theft victims, this marks the
first time in the US that a domain name theft has
resulted in an arrest.

server.com: $770,000 - vibrators.com: $1 million - yp.com:
$3.85 million - candy.com: $3 million - toys.com: $5 million
http://www.domainnamenews.com/featured/criminal-prosecution-domain-theft-underway/5675


Promo codes for cheapskates
• X% and $X off sales
• Free Shipping
• 2 for 1 Specials
• Add-Ons & Upgrades


MacWorld Hacker VIP
Client-Side Hacking
Back to Back Free MacWorld Platinum Pass
($1,695)

http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html

Free Pizza Tastes Better
March 31, 2009...
1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code “BAILOUT” FREE!
Still have to go pick it up!

http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
http://news.cnet.com/8301-13845_3-10207986-58.html
http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html

Share the Knowledge

11,000 X $7.00 = $77,000
(per pizza)

“Spoke to a Domino's rep, who
told me the free-pizza code
was created internally for a
promotion that was never
actually green-lit.”


32

Scams that Scale

They make money, a little or a lot.

Generally not considered hacking.

Can do them over and over again.

Cookie-Stuffing
Instead of using affiliate links the “traditional” way:
<a href=”http://AffiliateNetwork/p?
program=50&affiliate_id=100/”>really cool product!</a>

Force affiliate requests with “Cookie Stuffing”:
<iframe src=”http://AffiliateNetwork/p?program=50&affiliate_id=100/”
width=”0” height=”0”></iframe>

Remove pesky referer by placing code on SSL pages:
“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if
the referring page was transferred with a secure protocol.” - RFC 2616

Affiliate networks will get suspicious of
all these requests with no referers


Referer Manipulation
High traffic site, owned by the SEO and unknown by
Affiliate network. IFRAME the site with “clean” referer.
<iframe src=”http://niceseo/” width=”0”
height=”0”></iframe>

Clean site, also owned by SEO, serves up cookie-
stuffing code only to requests with referer of the
black-hat website.
<iframe src=”http://AffiliateNetwork/p?
program=50&affiliate_id=100/” width=”0”
height=”0”></iframe>

To the affiliate Affiliate network everything looks
100% legit when investigating. They will never see
cookie-stuffing code. Mind the impression ratio!


Manufacturing Links
Identify websites with a high PR or traffic, with
site: search features, whose link results do not
have “nofollow”, URLs block by robots.txt, and do
not redirect.

“Powered by Google”, but others may work as well. Use a link farm
to link to search results pages so they get indexed.
<a href=”http://www.weather.com/search/websearch?
Keywords=site:mysite.com+keyword&start=0&num=10&twx=on&type=web”>
keyword pair</a>


Google Maps vs. Spammers

http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winning/
http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html


Google Maps vs. Spammers


Google Earth Recon
Roofer Tom Berge used the aerial photographs of
towns across the world to pinpoint museums,
churches and schools across south London with
lead roof tiles (darker colour).
Berge and his accomplices used ladders and
abseiling ropes to strip the roofs and took the lead
($164,980) in a stolen vehicle to be sold for scrap.
Sentenced to eight months in prison – suspended for
two years – after confessing to over 30 offenses.

http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-wi
valuable-lead-roofs.html


Returning other people’s iPods
Nicholas Arthur Woodhams, 23 from Kalamazoo,
Michigan set up shop online to repair iPods.

Abused Apple's Advance Replacement Program
by guessing iPod serial numbers backed with
Visa-branded gift cards ($1 pre-auth).

Repeated the process 9,075 times, resold the
“replacements” at heavily discounted prices ($49),
and denied any Apple credit charges.

Charged with trademark infringement, fraud, and
money-laundering.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html


Scams that scale
“Federal prosecutors have asked U.S. District
Court Judge Robert Bell to let them seize real
estate and personal property -- including a 2004
Audi and a 2006 drag racer -- as well as more
than $571,000 in cash belonging to Woodhams,
all alleged to be proceeds from his scam.”


Jackpotting the iTunes Store
A group of U.K.-based DJs provided 19 songs, to distributor
Tunecore, who put them for sale on iTunes and Amazon.

Once online, the DJs opened accounts with 1,500 stolen
or cloned US and British credit cards to buy $825,000
worth of their albums $10 at a time over a couple month.

Apple and Amazon paid roughly $300,000 in royalties,
which boosted their chart rankings, resulting in even
more sales and increased royalties for the DJs.

Apple received 'stop payment' orders from credit card
companies, which led to the DJs’ arrest on suspicion of
conspiracy to commit fraud and money laundering.

http://www.metro.co.uk/news/article.html?DJs_arrested_in_
%A3200,000_iTunes_scam&in_article_id=682928&in_page_id=34


Long Haul Hacking
Viachelav Berkovich used the DoT website (Safersys.org) to
change the contact information for a legitimate trucking
company to a controlled address and phone number.
Brokers used web-based "load boards" to advertise cargo in
need of transport where the hackers negotiate deals worth
thousand dollars. They'd outsource the jobs while posing as
the legitimate company whose identity they’d hijacked.
Once the cargo was delivered, the hackers invoiced their
customer and pocketed the cash. When the company that
actually drove the truck tried to get paid, they’d find the firm
who’d supposedly hired them didn’t know anything about it.

Received between 2 and 5 years in prison for computer-
fraud, ordered to pay $2,773,074 in restitution to ~300
victims, of which $1.4 million was recovered.

http://www.wired.com/threatlevel/2009/08/truckers/


45

Mythical Super Hacker

Anyone can do this stuff!

Skill does not affect return on
investment.

Competitors got caught because they
didnʼt try not to.

Will Hack for $, £, ¥, €, R$, ₨


Online Permit Management
In 2006, the Brazilian environment ministry did away with
paper dockets and implemented an online program to
issue permits documenting how much land a company
could legally log and tracking the timber leaving the
Amazon state of Para.

"We've pointed out before that this method of
controlling the transport of timber was subject to fraud.”

André Muggiati
Campaigner Amazon office in Manaus
Greenpeace International


Amazonian Rainforest Hack
Allegedly 107 logging companies hired
hackers to compromise the system,
falsifying online records to increase the
timber transport allocations. Police
arrested 30 ring leaders. 202 people
are facing prosecution.
As a result, an estimated 1.7 million
cubic meters of illegal timber have
been smuggled out of the Amazon,
enough to fill 780 Olympic-sized
swimming pools.

http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientiﬁcamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16


$833,000,000
Same computer system is used in
two other Brazilian states.
http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientiﬁcamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16


Online Permit Managers


Hiring the Good Guys
KPMG audited 70 FAA Web
applications and identified
763 high-risk vulnerabilities

“By exploiting these vulnerabilities, the public could
gain unauthorized access to information stored on
Web application computers. Further, through these
vulnerabilities, internal FAA users (employees,
contractors, industry partners, etc.) could gain
unauthorized access to ATC systems because the
Web applications often act as front-end interfaces
(providing front-door access) to ATC systems.”

http://news.cnet.com/8301-1009_3-10236028-83.html
http://www.darkreading.com/security/government/showArticle.jhtml
http://www.oig.dot.gov/StreamFile?ﬁle=/data/pdfdocs/ATC_Web_Report.pdf


Attack Classification Misnomer
Dial is a measurement of target focus, NOT skill.


Operationalizing
1) Where do I start?
Locate the websites you are responsible for
Risk
2) Where do I do next?
Rank websites based upon business criticality

3) What should I be concerned about first?
Random Opportunistic, Directed Opportunistic, Fully
Targeted
Resources
4) What is our current security posture?
Vulnerability assessments, pen-tests, traffic What is your organizations
monitoring tolerance for risk (per website)?

5) How best to improve our survivability?
SDL, virtual patch, configuration change,
decommission, outsource, version roll-back, etc.


Operational Website Risk Management


‘Plan B’ Problems

Albert "Segvec" Gonzalez

“...threw himself a $75,000 birthday party and at one
point lamented he had to count more than $340,000
by hand because his money counter had broken.”


‘Plan B’ Problems


Questions?
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com

Trey Ford
Blog: http://treyford.wordpress.com/
Twitter: http://twitter.com/treyford
trey.ford@whitehatsec.com

WhiteHat Security
http://www.whitehatsec.com/

© 2009 WhiteHat, Inc.

(Updated) Mo' Money Mo' Problems - Making even more money online the black hat way

Recommended

Recommended

More Related Content

More from Jeremiah Grossman

More from Jeremiah Grossman (20)

Recently uploaded

Recently uploaded (20)

(Updated) Mo' Money Mo' Problems - Making even more money online the black hat way